Twitter advises 330 million users to change passwords after security slip-up
Twitter has messed up. According to a post on the social network’s official blog, a pretty big mix-up left passwords of the site’s 330 million users in plain text. And while there’s no sign of anyone stealing them while they were left open, Twitter is suggesting everyone take a minute to change their password out of an “abundance of caution.”
“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system,” wrote Parag Agrawal, the chief technical officer at Twitter. “This allows our systems to validate your account credentials without revealing your password. This is an industry standard.
“Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
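The pattern the quote describes, as an added example that is not Twitter's code (the actual internal bug has not been published): a salted slow hash next to a handler that logs the raw request before hashing, beside the hardened form that hashes first and logs only a redacted view, plus the check a regression test should run over the captured log. bcrypt is not in the Python standard library, so hashlib.scrypt stands in for it here; the request values and logger names are constructed.

```python
import hashlib
import hmac
import io
import logging
import os

SENSITIVE_FIELDS = {"password", "new_password"}  # assumed field names


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, deliberately slow hash (scrypt standing in for bcrypt).
    The stored string lets us verify a password, not recover it."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def redacted(request: dict) -> dict:
    """Copy of a request with secret fields masked so it is safe to log."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in request.items()}


def _capturing_logger(name: str):
    """Logger that writes to an in-memory buffer standing in for the log file."""
    buf = io.StringIO()
    log = logging.getLogger(name)
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(buf))
    return log, buf


def signup_buggy(request: dict):
    """The bug described above: the raw request is logged before hashing."""
    log, buf = _capturing_logger("signup-buggy")
    log.info("signup request: %s", request)  # plaintext password lands in the log
    return hash_password(request["password"]), buf.getvalue()


def signup_fixed(request: dict):
    """Hash first, then log only the redacted view of the request."""
    stored = hash_password(request["password"])
    log, buf = _capturing_logger("signup-fixed")
    log.info("signup request: %s", redacted(request))
    return stored, buf.getvalue()


def log_leaks_secret(log_text: str, secret: str) -> bool:
    """Regression check: does a known plaintext secret appear in the captured log?"""
    return secret in log_text
```

A unit test that calls `signup_fixed` with a known password and asserts `log_leaks_secret` is false on the captured output is the cheapest guard against this class of bug reappearing.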
That is all that Twitter has said on the specifics of the problem, and there is no indication of how many users are affected or, indeed, how long this gaping hole in security has been open. The fact that Twitter is urging all of its users to change their passwords would indicate “lots” and “a while,” but we don’t know for sure.
On the site itself, Agrawal said that the company was sharing the information even though it didn’t have to, so that users can make an informed decision about their account security:
So should you change your password? Well yes, it certainly wouldn’t hurt, and it’s generally good practice to mix up your passwords regularly in any case, but there is a hierarchy of urgency here. If your Twitter password is unique to that site (via a password manager, say) and if you have 2FA enabled on Twitter, then realistically your account is at lower risk than one where you reuse the same password everywhere – although, to be fair, that was the case even before this announcement from Twitter.
If you sit in the latter camp then not only should you change your password right now, but you should go through the tedious process of updating every website which shares the same login. If Twitter is wrong and somebody did gain access to the passwords, then a cybercriminal’s first course of action is going to be to try those logins on sites all over the web.
It’s best to do yourself a favour and get a password manager to avoid this kind of problem in future, mind. I took the plunge two years ago: it took around an hour to move everything across, but I haven’t looked back since.